Certbot renew hook not firing


#1

Hi Guys,

Currently using Certbot from the Debian package on Debian 8. It all works fine except the renew process. The renew process is triggered from cron, and I have a renew hook. The renew process works fine, but the hook isn’t getting fired. If I run the hook manually it works. Here is my Cron file:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "cp /etc/letsencrypt/live/server.domain.com/{fullchain.pem,privkey.pem} /etc/exim4/ && chown root:Debian-exim /etc/exim4/*.pem && chmod 640 /etc/exim4/*.pem && service exim4 reload && service nginx reload"

Thanks,
Andrew.


#2

I think the problem may be the use of shell syntax inside the renew-hook. I haven’t figured out exactly what will happen in this case but I don’t believe the Python subprocess.Popen uses bash to run the hooks.

Certbot’s hooks.py clearly uses this method to execute the hook; I checked with

subprocess.Popen("echo {foo, bar, baz}", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read()

and it returned "{foo, bar, baz}", which then confirms that bash syntax like that can’t be used in a renew-hook. I would suggest making your own separate shell script and then running that script as the renew-hook.
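
The separate-script approach suggested above, written out as an added example that is not part of the original thread. The install path /usr/local/sbin/exim-cert-hook and the function names are hypothetical; RENEWED_LINEAGE is the variable certbot exports to renew hooks, pointing at the live directory of the renewed certificate.

```shell
#!/bin/sh
# Added example, not from the thread: the renew hook as a POSIX sh script.
# Assumed (hypothetical) install path: /usr/local/sbin/exim-cert-hook
# The cron line then ends with:
#   certbot -q renew --renew-hook /usr/local/sbin/exim-cert-hook

# Install SRC as DEST with MODE and GROUP. The data is first written to a
# mktemp file (created 0600), so the private key never exists on disk with
# looser permissions, then renamed into place in one step.
install_pem() {
    src=$1 dest=$2 mode=$3 group=$4
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # chown is skipped for non-root callers so the function can be dry-run.
    if cat "$src" > "$tmp" &&
       { [ "$(id -u)" -ne 0 ] || chown "root:$group" "$tmp"; } &&
       chmod "$mode" "$tmp" &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Name both files explicitly: no {a,b} brace expansion is needed, so the
# script behaves the same under dash (Debian's /bin/sh) and bash.
deploy_certs() {
    live=$1 target=$2 group=$3
    for f in fullchain.pem privkey.pem; do
        install_pem "$live/$f" "$target/$f" 640 "$group" || return 1
    done
}

# Run the deployment only when certbot invoked us after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /etc/exim4 Debian-exim &&
        service exim4 reload &&
        service nginx reload
fi
```

Because the services are reloaded only if both files were installed, a failed copy leaves the previous certificate and key in place and in use.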

